PCI DSS 4.0.1 Self-Assessment Checklist
This document provides a QSA-ready self-assessment mapping Gatelithix Gateway controls to PCI DSS 4.0.1 requirements. For detailed evidence and deployed verification commands, see PCI Verification Evidence.
Scope
| Property | Value |
|---|---|
| Assessment Type | SAQ-D Service Provider (subset) |
| CDE Boundary | PCI VPC (10.1.0.0/20) + Vault Cloud Run service |
| In-Scope Requirements | 1, 3, 4, 6, 7, 8, 10, 11 |
| Out-of-Scope Requirements | 2 (vendor defaults — Cloud Run managed), 5 (malware — serverless), 9 (physical security — GCP responsibility), 12 (security policies — organizational) |
| Cardholder Data Types | PAN (encrypted at rest via Cloud KMS HSM) |
| PAN Storage | PCI Cloud SQL database, encrypted with HSM-backed keys |
| PAN Transmission | TLS-encrypted on all paths: HTTPS for service-to-service, sslmode=require + ssl_mode=ENCRYPTED_ONLY for database connections, VPC peering for cross-zone (no public internet transit) |
| Service Provider Level | Level 1 posture (designed from day 1) |
QSA Yearly Audit Package
When a QSA sends an Assessment Request Tracker workbook, run
make pci-qsa-audit-package to build the response zip. The command reads
the QSA-supplied .xlsx from compliance/PCI-QSA-AuditAsk/, walks the
control matrix to resolve evidence per sub-requirement, and emits a dated
zip containing the filled Excel, renamed evidence files, a gap report, and
a manifest into compliance/PCI-QSA-AuditAsk/<YYYY-MM-DD>/.
By default the build uses cached GCP infra snapshots and stamps “as of
<date>” on infra-derived cells. Use make pci-qsa-audit-package-with-gcp
to refresh snapshots first via gcloud ADC.
Re-runs regenerate the dated subfolder; edit the dated copy of the
FILLED.xlsx, not the source workbook — manual edits to the source are lost
on re-run. Review the dated subfolder’s gap-report.md before sending the
zip to the QSA.
Assessment Summary
Requirement 1: Install and Maintain Network Security Controls
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 1.2.1 | Network segmentation controls | Terraform | infra/terraform/modules/vpc/main.tf — deny_all_ingress and deny_all_egress at priority 65534 | Verified |
| 1.3.1 | Inbound traffic to CDE restricted | Terraform | infra/terraform/pci/network.tf — allow_core_to_pci (TCP 443, source 10.0.0.0/20) | Verified |
| 1.3.2 | Outbound traffic from CDE restricted | Terraform | infra/terraform/pci/network.tf — allow_psp_egress (TCP 443), allow_restricted_apis_egress (TCP 443, dest 199.36.153.4/30) + Cloud NAT: infra/terraform/core/network.tf and pci/network.tf — Cloud NAT on both VPCs provides auditable egress with consistent source IPs and configurable NAT logging. | Verified |
| 1.4.1 | No direct internet access to CDE | Terraform | infra/terraform/pci/cloudrun.tf — vault service ingress = “INGRESS_TRAFFIC_ALL”. The gateway calls vault over VPC peering (private IPs), not via Cloud Run’s public URL, and pci-vpc-allow-core-ingress restricts traffic entering the PCI VPC to source 10.0.0.0/20 (core VPC only), TCP 443 only. Caveat: VPC firewall rules do not filter requests to a Cloud Run service’s run.app URL, so with ingress ALL the vault URL remains reachable from the internet and unauthenticated callers are stopped only by Cloud Run IAM (invoker limited to explicit grants, i.e. gateway_sa). Document that IAM binding as the enforcing control for this row, or set ingress to INGRESS_TRAFFIC_INTERNAL_ONLY after confirming the peered-VPC call path still qualifies as internal. | Verified (IAM-gated; see caveat) |
| 1.3.x | Migration pipeline CDE isolation | Terraform + CI/CD | Migration Cloud Run Jobs run inside VPC via connectors (core-vpc-connector, pci-vpc-connector). PCI migration images stored in PCI-only Artifact Registry. No cross-CDE image dependencies. | Verified |
Requirement 3: Protect Stored Account Data
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 3.5.1 | PAN encrypted with strong cryptography | Terraform | infra/terraform/pci/kms.tf — pan_encryption_key, HSM protection, AES-256 symmetric | Verified |
| 3.5.1.1 | PAN fingerprint uses keyed hash | Terraform | infra/terraform/pci/kms.tf — pan_fingerprint_key, HMAC_SHA256, HSM protection | Verified |
| 3.6.1 | Cryptographic key management | Terraform | infra/terraform/pci/kms.tf — 90-day auto-rotation, prevent_destroy lifecycle | Verified |
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 4.2.1 | PAN encrypted during transmission | Terraform + Code | External: Google-managed TLS on Global HTTPS LB (Cloud Armor). Internal: Cloud SQL ssl_mode = ENCRYPTED_ONLY enforces TLS on all database connections; app uses sslmode=require (pgx). Cross-zone calls: VPC peering + TCP 443 only. No public internet transit for PAN. | Verified |
| 4.2.1.1 | Trusted certificates used | Terraform | Google-managed TLS certificates on Cloud Run services and Cloud SQL instances. Cloud SQL server certs issued by Google CA. Internal calls use identity tokens + HTTPS. Caveat: pgx sslmode=require encrypts the session but does not validate the server certificate against a CA (pgx sets InsecureSkipVerify unless sslrootcert is supplied), so on its own it does not show that the client checks certificate trust on the database path. Supply the instance’s server CA via sslrootcert with sslmode=verify-ca (or route through the Cloud SQL connector) to make this row hold for Cloud SQL connections. | Verified (see caveat) |
Requirement 6: Develop and Maintain Secure Systems and Software
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 6.2.3 | Bespoke and custom software reviewed before release | CI/CD | .github/workflows/ci.yml — gosec static analysis, Trivy container scan, Go test suite | Verified |
| 6.5.1 | Change control for system components | CI/CD + Terraform | Automated migration pipeline: schema changes applied via goose with DDL-only validation. Migration files contain only CREATE TABLE/ALTER TABLE statements — no SELECT/INSERT/UPDATE/DELETE of cardholder data. Verified by the CI migration validation job. | Verified |
| 6.5.x | Least privilege for migration execution (supports 6.5.1; see also 7.2.5) | Terraform | Core migrations run as gateway-sa, PCI migrations run as vault-sa. Credentials injected from Secret Manager at runtime — never baked into images. | Verified |
| 6.2.4 | Software engineering techniques against common attacks: request size limits | Code | apps/gateway/main.go — middleware.MaxBodySize(1048576) limits all request bodies to 1 MB using http.MaxBytesReader. Oversized requests are rejected with 413 before processing. Defense in depth against payload-based DoS. | Verified |
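The DDL-only migration check behind 6.5.1 is worth seeing as code. The Go program below is an added example, not the project’s CI migration validation job: it strips comments and string literals from a goose migration, splits it into statements, and accepts only CREATE/ALTER/DROP on schema objects, while also rejecting DML hidden inside DDL (CREATE TABLE ... AS SELECT) and dollar-quoted DO/function bodies that could carry a backfill. The sample migrations are constructed for the example, and the list of permitted object types is an assumption to be tuned to the real schema.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample goose migrations for this example; they are not files
// from the project's db/migrations/ directory.
const okMigration = `-- +goose Up
CREATE TABLE api_keys (
    id          BIGSERIAL PRIMARY KEY,
    key_hash    BYTEA NOT NULL UNIQUE,
    hmac_secret BYTEA NOT NULL
);
ALTER TABLE api_keys ADD COLUMN created_at TIMESTAMPTZ NOT NULL DEFAULT now();
CREATE UNIQUE INDEX api_keys_hash_idx ON api_keys (key_hash);

-- +goose Down
DROP TABLE api_keys;
`

const backfillMigration = `-- +goose Up
ALTER TABLE cards ADD COLUMN pan_copy TEXT;
-- a "harmless" backfill that would read and copy cardholder data:
UPDATE cards SET pan_copy = pan;
`

const ctasMigration = `-- +goose Up
CREATE TABLE cards_export AS SELECT pan FROM cards;
`

const doBlockMigration = `-- +goose Up
DO $$ BEGIN UPDATE cards SET pan = NULL; END $$;
`

var (
	blockComment = regexp.MustCompile(`(?s)/\*.*?\*/`)
	lineComment  = regexp.MustCompile(`(?m)--.*$`)
	stringLit    = regexp.MustCompile(`'(?:[^']|'')*'`)
	dollarQuote  = regexp.MustCompile(`\$[A-Za-z_]*\$`)
	// Schema-only statements this example permits (an assumption; tune to the schema).
	ddlPrefix = regexp.MustCompile(`(?i)^(CREATE|ALTER|DROP)\s+(TABLE|INDEX|UNIQUE\s+INDEX|SEQUENCE|TYPE)\b`)
	// Anything that reads or writes rows, even when it appears inside a DDL statement.
	dmlWord = regexp.MustCompile(`(?i)\b(SELECT|INSERT|UPDATE|DELETE|TRUNCATE|COPY|MERGE|GRANT|REVOKE)\b`)
)

// ValidateDDLOnly returns nil if every statement is schema-only DDL, or an
// error naming the first statement that could touch cardholder data.
// The check fails closed: a keyword that survives comment and literal
// stripping is reported rather than silently allowed.
func ValidateDDLOnly(migration string) error {
	sql := blockComment.ReplaceAllString(migration, " ")
	sql = lineComment.ReplaceAllString(sql, "")
	if dollarQuote.MatchString(sql) {
		return errors.New("dollar-quoted body (DO block or function) rejected: it can embed DML")
	}
	sql = stringLit.ReplaceAllString(sql, "''")
	for _, raw := range strings.Split(sql, ";") {
		stmt := strings.TrimSpace(raw)
		if stmt == "" {
			continue
		}
		if !ddlPrefix.MatchString(stmt) {
			return fmt.Errorf("non-DDL statement: %q", head(stmt))
		}
		if kw := dmlWord.FindString(stmt); kw != "" {
			return fmt.Errorf("DDL statement embeds %s: %q", strings.ToUpper(kw), head(stmt))
		}
	}
	return nil
}

// head collapses whitespace and truncates a statement for error messages.
func head(s string) string {
	s = strings.Join(strings.Fields(s), " ")
	if len(s) > 48 {
		return s[:48] + "..."
	}
	return s
}

func main() {
	samples := []struct{ name, sql string }{
		{"schema-only", okMigration}, {"backfill", backfillMigration},
		{"ctas", ctasMigration}, {"do-block", doBlockMigration},
	}
	for _, s := range samples {
		fmt.Printf("%-12s %v\n", s.name, ValidateDDLOnly(s.sql))
	}
}
```

Only the first sample passes; the backfill is caught as a non-DDL statement, the CREATE TABLE ... AS SELECT as DML embedded in DDL, and the DO block outright because its body cannot be inspected statically. Run in CI against every file under db/migrations/ with a non-zero exit on error.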
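For the request size limit in 6.2.4, the subtle part is that http.MaxBytesReader only fails when the handler reads past the cap, so the handler must translate that failure into a 413 itself, while a request that declares an oversize Content-Length can be refused before any byte is read. The program below is an added example with its own MaxBodySize middleware (not the gateway’s middleware.MaxBodySize), exercised in-process through httptest; the /v1/payments route is a placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBody is the same 1 MB cap the gateway applies.
const maxBody int64 = 1048576

// MaxBodySize is this example's own middleware. Requests that declare an
// oversize Content-Length are refused before the body is read; everything
// else (including chunked uploads of unknown size) is capped with
// http.MaxBytesReader, which stops the read at the limit.
func MaxBodySize(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ContentLength > limit {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		next.ServeHTTP(w, r)
	})
}

// acceptHandler reads the body. MaxBytesReader surfaces the cap as an
// *http.MaxBytesError at read time, so the handler maps that error to 413;
// otherwise an oversize chunked body would come back as a generic 400.
func acceptHandler(w http.ResponseWriter, r *http.Request) {
	b, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes\n", len(b))
}

// send posts n bytes to the placeholder route through the middleware and
// returns the status code. declareLength=false simulates a chunked upload
// whose size the server does not know up front.
func send(n int64, declareLength bool) int {
	h := MaxBodySize(maxBody, http.HandlerFunc(acceptHandler))
	req := httptest.NewRequest(http.MethodPost, "/v1/payments", strings.NewReader(strings.Repeat("A", int(n))))
	if !declareLength {
		req.ContentLength = -1
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	fmt.Println("exactly 1 MB, declared:", send(maxBody, true))    // 200
	fmt.Println("1 MB + 1, declared:    ", send(maxBody+1, true))  // 413 before any read
	fmt.Println("1 MB + 1, chunked:     ", send(maxBody+1, false)) // 413 from MaxBytesReader
	fmt.Println("exactly 1 MB, chunked: ", send(maxBody, false))   // 200
}
```

The two 413 paths are different evidence: the Content-Length branch shows the request is rejected before processing, and the chunked branch shows the cap still holds when a client lies about, or omits, the length.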
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 7.2.1 | Access based on need to know | Terraform | infra/terraform/pci/kms.tf — KMS IAM restricted to vault_sa_email only | Verified |
| 7.2.2 | Privileges assigned by function | Terraform | Separate SAs: gateway_sa, vault_sa, connector_sa with role-specific IAM bindings | Verified |
| 7.3.3 | Access control system defaults to deny all | Terraform | modules/vpc/main.tf — deny-all baseline. Cloud Run IAM requires explicit invoker grants. | Verified |
| 7.3.2 | Access control system enforces assigned permissions | Code | pkg/auth/rbac.go — RBAC middleware enforces role-based access on all /admin endpoints. Insufficient roles return HTTP 403. Four roles: platform_admin, platform_support, merchant_admin, merchant_user. | Verified |
| 7.2.6 | Query access to stored cardholder data restricted through the application | Code | All payment read queries filter by merchant_id from the auth context (merchant-scoped reads). Cross-tenant payment IDs return 404 to avoid information disclosure. | Verified |
Requirement 8: Identify Users and Authenticate Access to System Components
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 8.3.1 | All user access authenticated with at least one factor (MFA enforced for portal admins) | Configuration | Auth0 tenant MFA policy (Guardian + TOTP) for merchant portal admin access | Verified |
| 8.3.2 | Strong cryptography for authentication | Code | JWT validation (RS256 via JWKS). API keys hashed with SHA-256. Per-merchant HMAC secrets: each API key has its own unique HMAC secret stored in Cloud SQL (db/migrations/023_add_hmac_secret_to_api_keys.sql). Resolved at request time by pkg/hmac/resolver.go. Satisfies unique cryptographic credential per entity requirement. | Verified |
| 8.4.2 | MFA for all access into the CDE (remote access from outside the network is 8.4.3) | Configuration | GCP IAM organization policy requires MFA for console and API access | Verified |
| 8.6.1 | Service accounts least privilege | Terraform | Per-service SAs, no wildcard roles, no SA key files (workload identity) | Verified |
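The per-key HMAC scheme in 8.3.2 (API key stored only as its SHA-256 hash, each key carrying its own HMAC secret resolved at request time) can be exercised end to end. The Go program below is an added example, not pkg/hmac/resolver.go: an in-memory map stands in for the Cloud SQL api_keys lookup, the canonical string (method, path, timestamp, body hash) and the way the signature and timestamp travel are assumptions, and the sample keys and secrets are constructed. It shows signing, constant-time verification with hmac.Equal, a replay window on the timestamp, and that a signature made with one merchant’s secret does not verify under another key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// keyRecord stands in for one api_keys row: the key itself is never stored,
// only its SHA-256 hash, and each key carries its own HMAC secret.
type keyRecord struct {
	merchantID string
	hmacSecret []byte
}

// Constructed sample keys and secrets for this example.
const (
	keyA = "gk_live_merchant_a_example"
	keyB = "gk_live_merchant_b_example"
)

// store is an in-memory stand-in for the Cloud SQL lookup, keyed by key hash.
var store = map[string]keyRecord{
	hashAPIKey(keyA): {"merchant-a", []byte("constructed-secret-for-merchant-a")},
	hashAPIKey(keyB): {"merchant-b", []byte("constructed-secret-for-merchant-b")},
}

func hashAPIKey(apiKey string) string {
	sum := sha256.Sum256([]byte(apiKey))
	return hex.EncodeToString(sum[:])
}

// resolveSecret is the request-time lookup: hash the presented key, fetch its row.
func resolveSecret(apiKey string) (keyRecord, bool) {
	rec, ok := store[hashAPIKey(apiKey)]
	return rec, ok
}

// canonical is the string both sides MAC over: method, path, unix timestamp
// and the SHA-256 of the body. The format is an assumption for this example.
func canonical(method, path string, ts int64, body []byte) []byte {
	bodyHash := sha256.Sum256(body)
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%s", method, path, ts, hex.EncodeToString(bodyHash[:])))
}

func mac(secret []byte, method, path string, ts int64, body []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(canonical(method, path, ts, body))
	return m.Sum(nil)
}

// Sign is what a merchant SDK does with its own key's secret.
func Sign(secret []byte, method, path string, ts int64, body []byte) string {
	return hex.EncodeToString(mac(secret, method, path, ts, body))
}

const maxSkew = 5 * time.Minute

var ErrUnauthorized = errors.New("unauthorized")

// Verify resolves the caller's per-key secret and checks the signature.
// Every failure returns the same error so the response does not reveal which
// of key, timestamp or signature was wrong; the comparison is constant time.
func Verify(now time.Time, apiKey, method, path, tsHeader, sigHeader string, body []byte) (string, error) {
	rec, ok := resolveSecret(apiKey)
	if !ok {
		// Unknown key: still spend a MAC so this path takes about as long as
		// a bad-signature one.
		mac([]byte("dummy"), method, path, 0, body)
		return "", ErrUnauthorized
	}
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return "", ErrUnauthorized
	}
	if d := now.Sub(time.Unix(ts, 0)); d > maxSkew || d < -maxSkew {
		return "", ErrUnauthorized // outside the replay window
	}
	got, err := hex.DecodeString(sigHeader)
	if err != nil || !hmac.Equal(got, mac(rec.hmacSecret, method, path, ts, body)) {
		return "", ErrUnauthorized
	}
	return rec.merchantID, nil
}

func main() {
	now := time.Unix(1700000000, 0)
	body := []byte(`{"amount":1000,"currency":"USD"}`)
	ts := strconv.FormatInt(now.Unix(), 10)
	sig := Sign(store[hashAPIKey(keyA)].hmacSecret, "POST", "/v1/payments", now.Unix(), body)

	m, err := Verify(now, keyA, "POST", "/v1/payments", ts, sig, body)
	fmt.Println("merchant A, valid:     ", m, err) // merchant-a <nil>
	_, err = Verify(now, keyB, "POST", "/v1/payments", ts, sig, body)
	fmt.Println("merchant B, A's sig:   ", err) // unauthorized: secrets are per key
	_, err = Verify(now.Add(10*time.Minute), keyA, "POST", "/v1/payments", ts, sig, body)
	fmt.Println("replayed 10 min later: ", err) // unauthorized
	_, err = Verify(now, keyA, "POST", "/v1/payments", ts, sig, []byte(`{"amount":1}`))
	fmt.Println("tampered body:         ", err) // unauthorized
}
```

Because the store is keyed by the hash of the API key, a database read of the api_keys table yields only hashes and per-key secrets; the secret of one key is useless for signing on behalf of another merchant, which is the property the “unique cryptographic credential per entity” claim in 8.3.2 rests on.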
Requirement 9: Restrict Physical Access to Cardholder Data
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 9.x | Physical security | N/A | Skipped — GCP responsibility. Google Cloud data centers hold SOC 2 Type II and PCI DSS certifications. Gatelithix runs entirely on Cloud Run (serverless). | GCP |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 10.2.1 | Audit logs enabled | Terraform | infra/terraform/pci/logging.tf — pci_audit_sink captures cloudaudit.googleapis.com logs | Verified |
| 10.3.2 | Audit logs protected from modification | Terraform | infra/terraform/pci/logging.tf — locked = true on logging bucket (retention cannot be shortened or the bucket deleted once locked) | Verified |
| 10.5.1 | Audit log retention >= 12 months | Terraform | infra/terraform/pci/logging.tf — 365-day retention (logging bucket) + 365-day locked retention (storage archive) | Verified |
| 10.3.3 | Audit logs backed up to a secure, separate location | Terraform | infra/terraform/pci/logging.tf — NEARLINE storage bucket with versioning, locked retention, pci_audit_archive_sink | Verified |
| 10.2.x | Migration execution audit trail | CI/CD + Cloud Run | Every migration execution is logged in Cloud Run Job execution history and Cloud Logging with full traceability to the triggering commit SHA. Job success/failure visible via gcloud run jobs executions list. | Verified |
Requirement 11: Test Security of Systems and Networks Regularly
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 11.3.1 | Internal vulnerability scans | CI/CD | .github/workflows/ci.yml — gosec static analysis on every PR, Trivy scan of built images. Caveat: SAST and image scanning are evidence for 6.2.3/6.3.1; 11.3.1 asks for quarterly internal vulnerability scans of in-scope components, so record the scan schedule and tooling used for the serverless estate (or the QSA’s written agreement that image scanning covers it). | Partial |
| 11.3.2 | External vulnerability scans | CI/CD | .github/workflows/ci.yml — Trivy container scan (HIGH+CRITICAL severity, exit-code 1). Caveat: 11.3.2 requires quarterly external scans of the public-facing IPs/URLs by a PCI SSC Approved Scanning Vendor (ASV) with passing reports; container scanning does not satisfy it. Attach the ASV reports, or record the gap in gap-report.md. | Partial |
| 11.6.1 | Change detection on payment pages | N/A | Not applicable — API-only service, no hosted payment pages | N/A |
Verification Procedures
For each control marked Verified above, the PCI Verification Evidence page provides:
- Exact Terraform resource references with file paths and attribute values
- gcloud commands to verify that the deployed infrastructure matches the Terraform configuration
- Expected command output for each verification step
Assessment Notes
- Req 9 Physical Security: Explicitly skipped per the GCP shared responsibility model. Google Cloud maintains physical security controls for all data center facilities. Reference: Google Cloud Compliance.
- Req 11.6.1 Payment Page Integrity: Not applicable. Gatelithix Gateway is a backend API service. Merchants integrate via REST API and client SDKs. No payment pages are hosted by the gateway.
- PSP Egress Scope: The allow_psp_egress firewall rule currently allows broad TCP 443 egress (0.0.0.0/0). Until it is narrowed, 1.3.2 rests on the Cloud NAT egress logging described above rather than on destination restriction; a future hardening task will narrow the rule to specific PSP IP ranges (Stripe, NMI, FluidPay).
- MFA Verification: Auth0 MFA configuration and GCP IAM MFA policies are verified through administrative console review, not Terraform. These are organizational controls maintained by the security team.